Mastodon says its flagship server was hit by a DDoS attack
Zack Whittaker, Sarah Perez
9:58 AM PDT · April 20, 2026
Mastodon’s flagship server was hit by a distributed denial-of-service attack on Monday, the social networking software maker said, which rendered the instance unusable at times.
Much of the site was inaccessible, throwing error messages or displaying a full-screen outage warning.
The maker of the decentralized social networking software, which runs the official mastodon.social instance, said in a status update at around 7 a.m. ET on Monday that it was investigating the cyberattack.
By 9:05 a.m. ET, Mastodon said it implemented a “countermeasure against the DDoS attack, and the site is accessible.” However, the company warned that some instability may continue to be seen as the attack is ongoing.
The cyberattack targeting Mastodon comes days after Bluesky, another decentralized social network, resolved most of its days-long outages following a lengthy DDoS attack. As of Bluesky’s most recent update on April 17, the DDoS attack continues, but its service has been stable since April 16 at 9 PM PDT.
Representatives for Mastodon did not immediately comment on the cause of the cyberattack when contacted by TechCrunch.
Distributed denial-of-service (DDoS) attacks rely on sending massive amounts of junk web traffic towards an app or website’s servers, with the aim of knocking them offline. These cyberattacks don’t involve data theft, but DDoS attacks can be disruptive to users.
DDoS attacks have become exponentially more powerful over the years. Last year, network security company Cloudflare said it mitigated what it says is the largest DDoS attack to date, measuring a peak of 29.7 terabits per second, the equivalent of filling up thousands of hard drives with data every minute.
When aimed at decentralized social networking services, the attacks can cause instability and outages, but not everyone is taken offline. In Bluesky’s case, for instance, those who had moved their account to other providers, like Blacksky, which run on the same protocol and interoperate with Bluesky, were not impacted.
Similarly, the attack on Mastodon has so far targeted only the larger server (mastodon.social) and not the many smaller instances that make up the full Mastodon social network.
He can be reached via encrypted message at zackwhittaker.1337 on Signal. You can also contact him by email, or to verify outreach, at zack.whittaker@techcrunch.com.